2. Presentation
@LucBeirens
Chief Commissioner
Head of the Federal Computer Crime Unit
Belgian Federal Judicial Police
Direction Economical and financial crime
Chairman of the EU Cybercrime task force
representing the organization of heads of
national hightech crime units of the EU
3. Topics - overview
General trends today
Cyber crimes and cyber criminals today
What hinders the combat today ?
A proposal for an integrated response
Belgian experiences
4. General trends today
Evolution towards e-society
replace persons by e-applications
Interconnecting all systems (admin, industrial, control)
IP is common platform offered by many ISPs
integrating telephony / data / VPN & all new apps
=opportunities / Achilles tendon / scattered traces
Poor security in legacy applications and
protocols (userid+pw)=> identity fraud is easy
Enduser is not yet educated to act properly
5. What do criminals want ?
Become rich / powerfull
rapidly, easily, very big ROI
in an illegal way if needed
Destabilaze (e-)society
by causing troubles
6. How : cyber crimes today
e-fraud => give money to the criminals
spam => start for eFrauds / MW distrib
hacking =>
change content of your website (defacing)
transfer money from the hacked system
espionnage => know your victim
use of hacked system =>
storage / spam / proxy / DNS / CC / DDOS
DDOS distributed denial of service attacks
8. Webserver / node
Computer
Crash
Hacker
Internet
Info Access line
Cmd
blocked
My IP is x.y.z.z
Command & Botnet attack on a webserver / node
Control Server
9. Interesting DDOS
2004 UK : gambling website down (+ hoster + ISP)
2005 Netherlands : 2 botnets : millions of zombies
2005 Belgium : Commercial firm during social conflict
2006 Sweden : Gov websites after police raid on P2P
2007 Estonia : political inspired widespread DDOS attack
2008 Georgia : cyber war during military conflict
2010 Worldwide : Wikileaks cyberconflict
2011 – 2012 : Anonymous attacks on Gov sites
10. What are botnets used for ?
Getting data & making money !
Sometimes still for fun (scriptkiddies)
Spam distribution via Zombie
Click generation on banner publicity
Dialer installation on zombie to make premium rate calls
Spyware / malware / ransomware installation
Espionage : banking details / passwords / keylogging
Transactions via zombie PC
Capacity for distributed denial of service attacks DDOS
=> disturb functioning of internet device (server/router)
11.
12. Webserver / node
Hacker Knowledge server
Internet
trigger
event
MW update
Very frequent MW
update request
Malware update server
Command & Malware update / knowledge transfer
Control Server
13. Cyber criminal’s toolbox
malware => trojan horses
distribution via mail, p2p, social networks, websites
auto-update & auto-propagation in network
very high rate of new versions
remote control of infected systems
=> botnets
creation of knowledge databases
collected & keylogged info of infected pc
keyservers in safe haven countries
14. But the criminal cyber architecture
also includes ...
Underground fora and chatrooms
Botnets for hire
Malware on demand / off the shelf packages
Trade stolen Credit cards / credentials
Money laundering services
Organized Cyber criminals
take over / set up ISP’s
infiltrate in development firms
15. And the victims ?
Who ?
Communication networks and service providers
Companies especially transactional websites
Every internet user
Reaction
Unaware of incidents going on => dark number
Victims try to solve it themselves
Nearly no complaints made => dark number
Result ? The hackers go on developing botnets
16. Risks
Economical disaster
Large scale : critical infrastructure
Small scale : enterprise
Individual & corporate (secret) data
Loss of trust in e-society
17. Combined threat
What if abused by terrorists ? Cyber army ?
... simultaniously with a real world attack?
How will you handle the crisis ?
Your telephone system is not working !
18. Intermediate conclusions
Society is very dependant of ICT
eSociety is very vulnerable for attacks
Urgent need to reduce risks on critical ICT
Botnets as criminal cyber infrastructure
is common platform for lots of cybercrimes
=> undermine it and you reduce crime
19. Traditional way of law enforcement
to tackle cybercrime
Reactive
Register complaint => judicial case
Hotlines (or cooperation with)
(Eventualy) undercover operations
Proactive (?)
Who is doing what, where and how ?
Patrolling the net
Effective (?) but not undermining cybercriminals
20. What hinders an effective
combat of cyber crime ?
Unawareness and negligence end user
Lack of overall view on risks / incidents by
Enterprise managers
Political decision makers
Combating : everyone on his own
Lack of specialized investigators
Jurisdictions limited by national borders
Subscriber identity fraud
Mobility of the (criminal) services in cloud
21. What actions are needed ?
Everyone plays a role in e-security
We have to do it as partners
We have to do it in an integrated way
22. Goals for operational
cybercrime action plan
As “society” (= gov & private sector)
improve detection and get a view and act on
criminal cyberinfrastructure especially botnets
incidents threatening eSociety
Strengthen robustness of ICT eSociety
ISP’s / Enterprises / End users
Weaken and dismantle
the criminal cyberinfrastructure
Each partner within his role & competence
23. Preserve evidence Webserver / node
Report incident
Stop activity
Bring to court
Hacker
Internet
Take out of
order
Analyse to
identify hacker
& zombies Identify critical infrastructure
Alarm procedures
Preserve evidence
Prevent infection & MW autopropagation
Detect infections & desinfect
Botnetservers
CC, Knowledge, MW Actions against botnet architecture
24. Role of governments &
international organizations
Working according a strategy
Develop international plans & reaction schemes
for critical ICT infrastructure protection
Develop legal framework
Obligation to report cybercrime incidents
Obligation to secure your computersystem (?)
Possibility for ISP to cut off infected machines (?)
Obligation to respond to requests of Gov authority
when serious incidents happen
25. Telecommunications sector
Prevent / reduce SPAM
Have to make there infrastructure robust
Report serious incidents to CERT
Integrated reaction with authorities
Implement strong authentication in
internet protocols and services
Detect negligent end users & react/help/cut off
26. Enterprises
E-Security = business risk =>
management responsibility
Think about how to survive when
e-systems are under attack
Enforce detection of incidents – IDS ?
Report incidents to CERT ? to police ?
Integrate strong authentication in
e-business applications
27. Developers
Strong authentication
Use the strongest available but ...
Think as a hacker
How can a transaction on an infected PC
be intercepted ?
Store IP-addresses and timestamps
of the end user ! not of the router !
Needed in case of an incident !
28. Responsibilization of end user
Awareness raising => media
Training on e-security & attitude
already at school
in the enterprises
Obligation to secure his PC properly ?
29. Role of police and justice ?
Gather intelligence about Botnets
Dismantle botnet servers
in your country
Analyse Botnet-servers
to find traces to criminals
Focus on knowledge servers & CC servers
30. EU Council strategy :
COSI priorities and OAP ?
Standing Committee on Operational Cooperation on
Internal Security (COSI)
EU Council body based on Lisbon Treaty (Art 71 TFEU)
High-level representatives of MS Min Interior and EC
Tasks
to facilitate and ensure effective operational cooperation and
coordination in the field of EU internal security
to evaluate the general direction and efficiency of operational
cooperation
to assist the Council in reacting to terrorist attacks or natural or
man-made disasters (solidarity clause of Art 222 TFEU).
Overview COSI strategic goals and operational 30
action plans cybercrime
31. Harmony : the COSI
policy & implementation cycle
Normally : 4 year cycle except first cycle : 2 year
Policy
Create view on security risks and crime phenomenae
Determine priority domains (Cybercrime is prio 8)
Determine strategic goals 4 (2) year
Determine operational action plans OAP 1 year
1 Driver to follow up Cybercrime domain
1 or 2 leaders for each OAP
7 strategic goals
31
32. COSI Strategy goals
1. Common legal standard (adapted)
2. User identification by Internet Governance
3. Enhance Police & Justice cyber capabilities
4. Establish European Cybercrime Center
5. Strategy to disrupt crim ict infra esp. botnet
6. PPP for prevention and detection
7. Reporting systems in each MS
33. Strategic Goal 4
To establish the European Cybercrime Centre (ECC)
to become the focal point
in the fight against cybercrime in the Union
contributing to faster reactions
in the event of cyber attacks
Overview COSI strategic goals and operational 33
action plans cybercrime
34. European Cybercrime centre
Place, role, tasks, organization still not clear
Study by Rand Europe => decision 1st half 2012
At Europol ?
Improve law enforcement efforts tackling cybercrime
Tasks
Intelligence focal point : monitoring, detection, collection,
analysis, alerting, information => core AWF Cyborg ?
Develop a high level forensic capability
Liaise with MS LEA, industry and internet governance
R&D Develop good practices for prevention and PPP 34
35. Strategic Goal 5
To establish and implement
a common Union approach
to disrupt and dismantle
the criminal infrastructure in cyberspace,
especially botnets
35
38. Belgian experience
1 national FCCU +25 Regional CCU=175 officers
(computer forensics & cybercrime combat)
2 specialized Federal prosecutors
minimum 1 ICT reference prosecutor / district
FCCU analyses attacks on critical ICT infra
BelNIS Gov Network information security
Develops and organizes ICT security strategy
Problem : no central authority
Since 2009 : Cert.be for Gov and Critical infra
39. Belgian experience
eBanking fraud => start of Malware analysis
Gain insight in how it’s working
Leads to detection of botnet-servers / bogus ISP’s
Combined team cybercrime & financial investigators
Building trust with law enforcement with other
countries
Collaboration with several partners and organizations
=> Information send to & analysed by Cert.be
Effective in dismantling of Botnet-servers (70 since ‘09)
Impact of 1 Malware distribution server ? Analysis shows
2 months 1,5 million downloads, 300.000 unique IP’s
40. Problems
Botnet-servers often on victim’s servers
But is it really a victim ?
No knowledge-servers in BE
Language problem during analysis CC-server
Is it the role of the police / Cert ?
If Cert does it (eg Finland)
=> fast but do we go after criminals afterwards ?
Which incidents are severe enough to report to police ?
If police does it
Which botnet-servers do we analyse ?
Malware analysis => help from AV-industry ?
41. Do we really have an impact ?
Several hundreds of botnets
5.000 – 10.000 botnet servers world wide
Millions of infected end users
=> need for action in every country
42. Contact information
Federal Judicial Police
Direction for Economical and Financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels – Belgium
Tel office : +32 2 743 74 74
Fax : +32 2 743 74 19
E-mail : luc.beirens@fccu.be
Twitter : @LucBeirens
Blog : LucBeirens.blogspot.com